Australian Privacy Principles

How Daobook applies each of the 13 Australian Privacy Principles in practice.

Last updated April 13, 2026

Daobook is operated by Emba Digital (ABN 89 683 319 486), an APP entity under the Privacy Act 1988 (Cth). This page describes, principle by principle, what Daobook actually does to apply each of the 13 Australian Privacy Principles (APPs). It is written to sit alongside our Privacy Policy and Data Security pages, which contain the supporting detail.

A note on roles before we start: Daobook holds two kinds of personal information.

  • Practitioner and clinic-staff information (people with a Daobook login) — Emba Digital is the APP entity here.
  • Client/patient information entered by clinics — the treating clinic is the APP entity; Daobook processes that information on the clinic's behalf.

Patients seeking access or correction of their record should contact their clinic first. Daobook will assist where it is appropriate to do so.

APP 1 — Open and transparent management of personal information

Our Privacy Policy sets out what we collect, why, who else we share it with, and how to make a complaint. It is linked from the footer of every page on daobook.com.au and from inside the Daobook application. This page complements it by describing how each APP is applied. Both are reviewed when our practices change.

APP 2 — Anonymity and pseudonymity

Where it is lawful and practicable to do so, we let people deal with us anonymously or by a pseudonym. In practice:

  • Browsing daobook.com.au, our public marketing pages, and our public tutorials does not require an account.
  • A Daobook practitioner account requires a real name and email so we can bill the subscription, contact the account holder, and (where displayed) record the prescribing practitioner against clinical records.
  • Clinics may choose to record clients under initials, internal client codes, or pseudonyms inside Daobook. That is a clinical decision for the clinic.

APP 3 — Collection of solicited personal information

We only collect personal information that is reasonably necessary for, or directly related to, providing the Daobook service. Sensitive information (including health information) is collected only with consent and only because the platform exists to manage clinical records. The categories we collect are listed in the Privacy Policy.

APP 4 — Dealing with unsolicited personal information

If we receive personal information we did not ask for and could not have lawfully collected under APP 3, we destroy or de-identify it as soon as practicable, provided that doing so is lawful and reasonable.

APP 5 — Notification of the collection of personal information

We notify individuals about collection in the following ways:

  • Practitioners and clinic staff are presented with the Privacy Policy at sign-up, and their acceptance is recorded against the account.
  • Clients of a clinic who fill in an intake form, request a booking, or accept a treatment-consent form are shown the relevant disclosures and the clinic's own privacy notices, and their acceptance is timestamped against their record.
  • Individual notification by Daobook is generally not practicable for client records that practitioners enter directly from their own intake conversations; the clinic remains the APP entity for those collections.

APP 6 — Use or disclosure of personal information

Personal information is used only for the purpose for which it was collected and for directly related secondary purposes that the individual would reasonably expect — for example, sending a booking confirmation, issuing an invoice for a completed appointment, or contacting a practitioner about an issue with their account.

Patient information entered by clinics is used only to operate the practice-management features the clinic uses. We do not use it for marketing, profiling, model training, or sale, and we do not share it across clinics.

APP 7 — Direct marketing

Daobook does not send direct marketing to clinics' clients. We may send Daobook product news and educational content to practitioner account holders; every such email contains a one-click unsubscribe and you can also opt out from your account's notification settings. Transactional messages (invoices, password resets, service notifications) are not marketing and continue regardless of marketing preferences.

APP 8 — Cross-border disclosure of personal information

Daobook is hosted in Australia (AWS Sydney). Some processing is performed by service providers based overseas. The current list, with locations, is in the Privacy Policy and includes Stripe, Square, Twilio, Sentry, ZeptoMail, Anthropic, OpenAI, and (for opt-in features) Google Calendar, Cliniko, Xero, and Shopify.

Before we engage an overseas processor we take reasonable steps to confirm they will handle the information consistently with the APPs — through their published privacy program, contractual commitments, and any applicable certifications. You acknowledge that information processed overseas may be subject to the laws of those jurisdictions.

APP 9 — Government related identifiers

Daobook does not collect or use Australian government identifiers such as Tax File Numbers, Medicare numbers, Centrelink CRNs, or Individual Healthcare Identifiers. The only registration number recorded against a practitioner is their AHPRA registration number, which is a profession-regulator identifier rather than a government related identifier within the meaning of APP 9.

APP 10 — Quality of personal information

The information held in Daobook is largely entered and maintained by the people it concerns (for practitioner accounts) or by the treating clinic (for client records). We provide editing tools throughout the application so that information can be kept accurate, up-to-date, and complete. Where we become aware that information we hold is wrong, we will correct it.

APP 11 — Security of personal information

Daobook is hosted on AWS in Sydney, with TLS in transit, AWS-managed AES-256 encryption at rest, role-based access inside the application, two-factor authentication and passkey support for accounts, automated daily database backups, and tenant isolation between clinics. Personal information is destroyed or de-identified when it is no longer needed and the retention lifecycle for cancelled accounts has run its course. Full detail is on the Data Security page.

APP 12 — Access to personal information

Practitioner account holders can:

  • View and edit their own profile, registration details, billing details, and notification preferences directly in Daobook.
  • Export the clinic's records — clients, consultations, prescriptions, appointments, invoices, communications, formulas, herbs, contacts, products, and provider numbers — to CSV at any time.
  • Request a copy of any other personal information we hold by emailing admin@daobook.com.au. We will respond within a reasonable period, normally within 30 days.

For clients of a clinic, the clinic is the access point for their own record. If a clinic is unable or unwilling to act on a request and the individual has already approached them, Daobook will assist where it is appropriate to do so.

APP 13 — Correction of personal information

Practitioners can correct any information they hold inline through the standard editing tools in Daobook. To correct any other personal information Daobook holds about you, email admin@daobook.com.au and we will make the correction or, if we disagree, give written reasons and note the disputed information against the record. Where we have shared corrected information with another entity, we will notify that entity unless impracticable or unlawful.

Complaints

If you think we have not met our obligations under the Australian Privacy Principles, please email admin@daobook.com.au with the details. We will acknowledge the complaint and aim to respond substantively within 30 days. If you are not satisfied, you can take the matter to the Office of the Australian Information Commissioner at oaic.gov.au.